As attacks increase, U.S. struggles to recruit computer security experts
Wednesday, December 23, 2009
The federal government is struggling to fill a growing demand for skilled computer-security workers, from technicians to policymakers, at a time when network attacks are rising in frequency and sophistication.
Demand is so intense that it has sparked a bidding war among agencies and contractors for a small pool of special talent: skilled technicians with security clearances. Their scarcity is driving up salaries, depriving agencies of skills, and in some cases affecting project quality, industry officials said.
The crunch hits as the Pentagon is attempting to staff a new Cyber Command to fuse offensive and defensive computer-security missions and the Department of Homeland Security plans to expand its own "cyber" force by up to 1,000 people in the next three years. Even President Obama struggled to fill one critical position: Seven months after Obama pledged to name a national cyber-adviser, the White House announced Tuesday that Howard Schmidt, a former Bush administration official and Microsoft chief security officer, will lead the nation's efforts to better protect its critical computer networks.
The lack of trained defenders for these networks is leading to serious gaps in protection and significant losses of intelligence, national security experts said. The Government Accountability Office told a Senate panel in November that the number of scans, probes and attacks reported to the Department of Homeland Security's U.S. Computer Emergency Readiness Team has more than tripled, from 5,500 in 2006 to 16,840 in 2008.
"We know how we can be penetrated," said Sen. Benjamin L. Cardin (D-Md.), chairman of the Judiciary subcommittee on terrorism and homeland security. "We don't know how to prevent it effectively."
Indeed, the protection of critical computer systems and sensitive data, said former National Security Agency director William Studeman, may be the "biggest single problem" facing the national security establishment.
Agencies under attack
One evening in May 2006, a U.S. embassy employee in East Asia clicked on an innocent-looking e-mail attachment that opened the door to the most significant cyberattack the State Department has yet faced, allowing attackers operating through computers in China to send malicious computer code into the department's networks in the region.
State's cyber-emergency response team immediately went into action, working round-the-clock for two weeks to isolate the harmful code and craft a temporary patch that officials said prevented a massive data theft.
The department's response to the attack highlights how skills matter, experts said. In 2000, State had hired technicians -- the vast majority contractors -- who custom-built an intrusion detection system and trained people to identify malicious software and reverse-engineer it to determine an attack's goals and methods. As a result, department technicians in 2006 were able to contain the attack quickly, said Alan Paller of the SANS Institute, who has analyzed the case for the Center for Strategic and International Studies.
Unlike State, most government agencies and private companies lack the skills and resources to muster a robust containment effort.
Two months after the East Asia intrusion, the Commerce Department detected a similar attack -- but only after a deputy undersecretary was unable to log on to his computer. Contractor technicians were never able to identify the initial date of penetration into the computers of the Bureau of Industry and Security, which controls sensitive exports of technology that has both commercial and military uses.
Once the attack was discovered, it took technicians eight days to install a filter to prevent leaks, and then they installed the wrong kind of filter, said Paller, sharing previously undisclosed findings about the incident, which was first reported in The Washington Post in October 2006.